Building a CHAP Login System: Coding Server-Side Random Seeds
Welcome to the second part of “Building a CHAP login system.” In three parts, this series introduces the basics of building a web-based login system that uses the Challenge Handshake Authentication Protocol (hence the CHAP acronym), explaining its benefits and exploring its implementation.
Stepping back: a quick look at the previous CHAP login system (Page 2 of 4)
To see how client authentication is carried out, let’s step back for a moment to the CHAP login system developed in the first part of the series. Besides refreshing the concepts already deployed, this will be useful for picking up the development flow again and building an improved login mechanism.
Having clarified that, here is the pertinent example:

```php
<?php
// * Begin of server-side processing
// start or resume a session
session_start();
// store random value in session variable; the generator expression is assumed here,
// since the article describes the value only as a "semi-random" challenge string
$_SESSION['challenge'] = md5(uniqid(mt_rand(), true));
// * End of server-side processing
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
```
As you can see in the above script, the server generates a semi-random challenge string, which is “sent” to the client simply by setting a “challenge” session variable. The client then appends this value to the MD5 hash of the password, hashes the resulting string again, and transmits the result to the server. As you’ve seen, the “doCHAP()” function is responsible for this hashing of the data, using the “MD5()” function included in the accompanying “md5.js” library. Data validation is handled mainly by the “showError()” function. Finally, the “doCHAP()” function is attached to the form’s “onsubmit” event handler once the page finishes loading, as you can see in the portion of code below:
```javascript
// * execute 'doCHAP()' function when page is loaded
var W3CDOM=document.getElementById&&document.getElementsByTagName&&document.createElement;
```
With the CHAP login program doing the hard work of hashing the password together with the challenge value, the server-side PHP authentication script, with hard-coded credentials, can be as simple as this:
As I explained before, the server performs the same MD5 calculations on its side in order to authenticate the credentials the client passes on. If the calculated value matches the hashed string the client sent along with its ID, the user has logged in successfully; otherwise the client is simply refused.
Although this may sound like a paradox, a common approach is to create the “challenge” form field on the fly instead of hard-coding it in the markup, and then have the server check whether the field is present. With this method, the logic of the server script can be reworked to handle script-enabled and script-disabled user agents with the same ease. It’s up to you to implement the method that best suits your needs.
Now that I’ve configured a basic yet functional CHAP login system, I’ll move on to a slightly more complex script that provides both the client and the server code with an efficient random seed generator, and that uses some DOM constructs to update the verification process applied to the form data. Join me in the next section to find out how this is done.